Malicious PDF — malware analysis report

Static analysis result for SHA-256 260831a753d26d03…

MALICIOUS

PDF

244.7 KB Created: 2021-06-18 23:04:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-24
MD5: ec88e0bfbc7c03d903ad734936de5dea SHA-1: 25884e061720a415ed7855043a113d0ec0e557bf SHA-256: 260831a753d26d0373f14c48cb57ca494d507dac16c13fee7640abe6d492f272
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains numerous links, with one pointing to compromised WordPress upload storage, indicating a likely phishing or malware distribution attempt. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest it is designed to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://guides2alpes.org/uploads/file/63472953631.pdf In PDF document text
    • http://admio.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160893e65c5ae4---lufojotole.pdfIn PDF document text
    • https://tecnibat.net/uploads/archivos/49964567997.pdfIn PDF document text
    • https://roadtoring.com/wp-content/plugins/super-forms/uploads/php/files/9a8334cb49faaad9728c80ea0caf4d08/fasijagiwixalutaxugef.pdfIn PDF document text
    • https://www.birdandwildlifeteam.com/wp-content/plugins/formcraft/file-upload/server/content/files/160960139ed71e---63356155371.pdfIn PDF document text
    • https://profbuhotchet.ru/wp-content/plugins/super-forms/uploads/php/files/fa74c38739cfc875e70490265ecf9d78/bepidin.pdfIn PDF document text
    • https://veritiesinstitute.com/wp-content/plugins/super-forms/uploads/php/files/e91c1974846be15e193c61fcefcf960b/gitadaxorajilonemitolop.pdfIn PDF document text
    • https://infravoip.com/wp-content/plugins/super-forms/uploads/php/files/070ecc3ea99e6fd12b6ffe640fc0cbdb/zamifibaju.pdfIn PDF document text
    • https://www.goldenplanet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160950e7dc5a20---maxebufufesamisuri.pdfIn PDF document text
    • http://iideree.org/wp-content/plugins/formcraft/file-upload/server/content/files/1608927f371429---98377472802.pdfIn PDF document text
    • http://faw-asia.com/image/upload/files/17903042732.pdfIn PDF document text
    • https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/uvk5sd5jhfle60q8m0i0derarg/mujezafiwoxob.pdfIn PDF document text
    • https://elitteaccesorios.com/wp-content/plugins/super-forms/uploads/php/files/82hgk6g5gec25pvj3jbd2oq8qf/pesuwonudoxinex.pdfIn PDF document text
    • http://www.canadavisaservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e8e96b4444---39888042888.pdfIn PDF document text
    • http://espacioschillout.es/images/admin/file/21839582204.pdfIn PDF document text
    • http://fortlauderdalelimorental.net/wp-content/plugins/formcraft/file-upload/server/content/files/160ccd35f2f922---fogosubuke.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/BkSY9tpko7c/uplcv?utm_term=evakiss+good+girl+gone+badPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00038468.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x38468 5212 bytes
SHA-256: af2fa114a6733994f8323a24cd8978233d75cbde08c51cc4aacafa8ef223e03d
font_01_sfnt_off00039636.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x39636 14568 bytes
SHA-256: 41c128bff47aa385126b7ecae63d89b81b5e8a161c1c8c028452de830b1c44ce